0

When attempting to boot a live OS via USB or CD, I get the secure boot error: "Image failed to verify with ACCESS DENIED". There is no SSD/HDD installed. Secure boot is enabled, and while I know that disabling secure boot will allow me to boot to the Live OS, disabling secure boot will also allow any nasty malware to initialize and run, affecting the OS as it's being loaded into memory. I believe strongly that my firmware is infected, preventing live OSes from booting. The device is a Lenovo ThinkPad W541. Please advise.

5
  • It's near impossible to infect UEFI firmware with malware due to the flashing process (step 1 verifies the UEFI firmware image's signing signature, and if it doesn't match, the UEFI firmware won't even boot into firmware update mode) - the only way I'm aware of is to obtain the motherboard OEM's UEFI firmware signing key. A live OS on CD/DVD is by default read-only, so if you trusted the ISO prior to burning, it should still be trusted (with RW media, physical access to the CD/DVD would be required to compromise it). With a Live USB, format it & re-download the ISO, verifying its SHA256 hash.
    – JW0914
    Commented Apr 2 at 13:47
  • (Cont'd...) The cause of the error could also be because whatever LiveUSB/CD is trying to be booted lacks a signed bootloader signature within the UEFI firmware's bootloader signature database. If that's the case after the ISO has been re-downloaded and its hash verified prior to creating the LiveUSB/CD, an entry can be made on the UEFI firmware's Boot tab, else Secure Boot can be disabled if no drives are installed since there would be nowhere for malware to be written to even if it was on a LiveUSB/CD.
    – JW0914
    Commented Apr 2 at 13:56
  • 2
    Does this answer your question? How to Secure Boot EFI images signed with an installed custom key? Commented Apr 2 at 15:22
  • Unfortunately, it doesn't. I used a live CD from Linux Pro Magazine and I used Rufus to create the bootable USB(s). They all worked literally for years and then one day I came home and out of the blue I ran into this issue. I have a problem with physical security where I live. While the technical know-how necessary to do something like this isn't common, it is possible. This is what leads me to believe that it is malware. Commented Apr 3 at 19:32
  • Learn.microsoft.com states that "All x86-based Certified For Windows PCs must meet requirements related to Secure Boot, which help protect you from rootkits while allowing you to run any OS you want. You have three options for running non-Microsoft operating systems: Use an OS with a certified bootloader. Because all Certified For Windows PCs must trust Microsoft's certificate, Microsoft offers a service to analyze and sign any non-Microsoft bootloader so that it will be trusted by all Certified For Windows PCs. In fact, an open source bootloader capable of loading Linux is already available" Commented Apr 3 at 19:55
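
The comments above suggest hashing the re-downloaded image and checking whether its bootloader is signed. As an added example (not part of the original thread), this Python sketch reports a whole-file SHA-256 for an EFI bootloader and whether its PE header carries an embedded signature at all. The function names and the sample header are constructed for illustration, and a signature being present does not mean the firmware's signature database trusts it.

```python
import hashlib
import struct

CERT_DIR_INDEX = 4  # IMAGE_DIRECTORY_ENTRY_SECURITY in the PE data directory

def signature_table(image: bytes):
    """Return (file_offset, size) of the PE certificate table, or None if unsigned."""
    if image[:2] != b"MZ":
        raise ValueError("not a PE/EFI image: missing MZ header")
    pe_off = struct.unpack_from("<I", image, 0x3C)[0]
    if image[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE/EFI image: missing PE signature")
    opt = pe_off + 24  # optional header follows the 4-byte signature + 20-byte COFF header
    magic = struct.unpack_from("<H", image, opt)[0]
    offsets = {0x10B: 96, 0x20B: 112}  # data directory start for PE32 / PE32+
    if magic not in offsets:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    dirs = opt + offsets[magic]
    (count,) = struct.unpack_from("<I", image, dirs - 4)  # NumberOfRvaAndSizes
    if count <= CERT_DIR_INDEX:
        return None
    offset, size = struct.unpack_from("<II", image, dirs + 8 * CERT_DIR_INDEX)
    if size == 0:
        return None
    if offset + size > len(image):
        raise ValueError("certificate table runs past end of file (truncated or corrupt)")
    return offset, size

def report(image: bytes) -> dict:
    # Whole-file hash for comparing against a known-good copy; this is not the
    # Authenticode digest that Secure Boot itself checks.
    table = signature_table(image)
    return {"sha256": hashlib.sha256(image).hexdigest(), "signed": table is not None}

def constructed_sample(signed: bool) -> bytes:
    """Constructed minimal PE32+ header for demonstration; not a real bootloader."""
    pe_off = 0x40
    hdr = bytearray(pe_off + 24 + 112 + 16 * 8)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, pe_off)
    hdr[pe_off:pe_off + 4] = b"PE\0\0"
    struct.pack_into("<H", hdr, pe_off + 24, 0x20B)
    struct.pack_into("<I", hdr, pe_off + 24 + 108, 16)
    if signed:
        struct.pack_into("<II", hdr, pe_off + 24 + 112 + 32, len(hdr), 8)
        hdr += b"\x08\0\0\0\0\x02\x02\0"  # placeholder certificate header, no real signature
    return bytes(hdr)
```

To use it on real media, pass the bytes of the bootloader file from the USB stick or mounted ISO to `report()`; on x64 removable media the default UEFI path is `EFI/BOOT/BOOTX64.EFI`.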
